持久连接的类型
1. Persistent client connections pcc 持久的客户端连接
2. persistent port connections ppc 持久的端口连接
3. persistent netfilter marked packet persistence 防火墙标记的连接
4. ftp connections
主动模式：21 和 20 端口打成一致的标记
被动模式：21 和一定范围的端口（pasv_min_port ~ pasv_max_port）打成一致的标记
Pasv_min_port=10000
Pasv_max_port=20000
Pasv_address=n.n.n.n
/sbin/iptables -t mangle -A PREROUTING -p tcp -d n.n.n.n/32
--dport 21 -j MARK --set-mark 21
/sbin/iptables -t mangle -A PREROUTING -p tcp -d n.n.n.n/32
--dport 10000:20000 -j MARK --set-mark 21
5. expired persistence 过期的持久连接
常用的是防火墙标记和 ftp 的持久连接
1. 持久的客户端连接
端口写 0 表示该 VIP 上的所有端口（见下面的 -t 192.168.2.100:0）
只要来自同一台固定客户端的连接，都会被调度到同一台固定的 real server 上
[root@director Cluster]# ipvsadm -C
[root@director Cluster]# ipvsadm -A -t 192.168.2.100:0 -s rr -p
[root@director Cluster]# ipvsadm -a -t 192.168.2.100:0 -r 192.168.2.20 -g
[root@director Cluster]# ipvsadm -a -t 192.168.2.100:0 -r 192.168.2.30 -g
52-1
换地址
52-2
2.持久端口连接
[root@director ~]# ipvsadm -C
[root@director ~]#
[root@director ~]#
[root@director ~]# ipvsadm -A -t 192.168.2.100:80 -p -s rr
invalid timeout value `-s' specified
[root@director ~]# ipvsadm -A -t 192.168.2.100:80 -s -p rr
unexpected argument rr
[root@director ~]# ipvsadm -A -t 192.168.2.100:80 -s rr -p
[root@director ~]# ipvsadm -A -t 192.168.2.100:22 -s rr -p
[root@director ~]# ipvsadm -a -t 192.168.2.100:80 -r 192.168.2.20 -g
[root@director ~]# ipvsadm -a -t 192.168.2.100:80 -r 192.168.2.30 -g
[root@director ~]# ipvsadm -a -t 192.168.2.100:22 -r 192.168.2.10
[root@director ~]#
[root@director ~]#
[root@director ~]# ipvsadm -Ln
IP Virtual Server version (size=4096)
Prot LocalAddress:Port Scheduler Flags
-> RemoteAddress:Port Forward Weight ActiveConn InActConn
TCP 192.168.2.100:80 rr persistent 360
-> 192.168.2.30:80 Route 1 0 2
-> 192.168.2.20:80 Route 1 0 0
TCP 192.168.2.100:22 rr persistent 360
-> 192.168.2.10:22 Local 1 0 0
[root@director ~]#
3.防火墙标记的连接
-- 有依赖关系的服务（如 80 与 443、21 与 20）如果分别定义，会被调度到不同的 real server 上；用防火墙标记把它们归为同一个服务可以避免这种情况
mangle 表主要用于修改数据包（如 TOS 字段、打 MARK 标记）。
防火墙标记只在 director 上生效，real server 看不到这个标记
1. 做 CA（注意：示例使用 1024 位 RSA 密钥，仅作演示；实际部署应使用更长的密钥）
[root@server2 ~]# vim /etc/pki/tls/openssl.cnf
45 dir = /etc/pki/CA # Where everything is kept
88 countryName = optional
89 stateOrProvinceName = optional
90 organizationName = optional
:88,90 s/match/optional
[root@server2 ~]#
[root@server2 ~]# cd /etc/pki/CA/
[root@server2 CA]# mkdir crl certs newcerts
[root@server2 CA]# touch index.txt serial
[root@server2 CA]# echo "01">>serial
[root@server2 CA]# cat serial
01
[root@server2 CA]# openssl genrsa 1024 >private/cakey.pem
Generating RSA private key, 1024 bit long modulus
......................................++++++
.............++++++
e is 65537 (0x10001)
[root@server2 CA]# openssl req -x509 -new -key private/cakey.pem -out cacert.pem -days 3650
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:cn
State or Province Name (full name) []:hn
Locality Name (eg, city) [Newbury]:zz
Organization Name (eg, company) [My Company Ltd]:zzu
Organizational Unit Name (eg, section) []:lib
Common Name (eg, your name or your server's hostname) []:web1.zzu.com
Email Address []:
[root@server2 CA]# chmod 600 private*
[root@server2 CA]# mkdir /etc/httpd/certs
[root@server2 CA]# cd /etc/httpd/certs
[root@server2 certs]# openssl genrsa 1024 >httpd.key
Generating RSA private key, 1024 bit long modulus
........++++++
..........................++++++
e is 65537 (0x10001)
[root@server2 certs]# openssl req -new -key httpd.key -out httpd.csr
Country Name (2 letter code) [GB]:cn
State or Province Name (full name) []:hn
Locality Name (eg, city) [Newbury]:zz
Organization Name (eg, company) [My Company Ltd]:zzu
Organizational Unit Name (eg, section) []:lib
Common Name (eg, your name or your server's hostname) []:server1.zzu.com
[root@server2 certs]# openssl ca -in httpd.csr -out httpd.crt
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Aug 24 21:48:07 2011 GMT
Not After : Aug 23 21:48:07 2012 GMT
Subject:
countryName = cn
stateOrProvinceName = hn
organizationName = zzu
organizationalUnitName = lib
commonName = server1.zzu.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
E0:1E:9B:B8:B6:4E:61:7C:4B:D5:87:86:3B:D0:94:39:26:F4:B2:94
X509v3 Authority Key Identifier:
keyid:0A:C8:47:0D:AC:11:A8:E5:D0:D4:9E:F6:F8:18:F4:00:54:01:1C:E6
Certificate is to be certified until Aug 23 21:48:07 2012 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@server2 certs]#
[root@server2 certs]# chmod 600 *
[root@server2 certs]# cd /mnt/cdrom/Server/
[root@server2 Server]# rpm -ivh mod_ssl
error: open of mod_ssl failed: No such file or directory
[root@server2 Server]# rpm -ivh mod_ssl--22.el5.i386.rpm
warning: mod_ssl--22.el5.i386.rpm: Header V3 DSA signature: NOKEY, key ID 37017186
error: Failed dependencies:
libdistcache.so.1 is needed by mod_ssl--22.el5.i386
libnal.so.1 is needed by mod_ssl--22.el5.i386
[root@server2 Server]#
[root@server2 Server]# rpm -ivh distcache--14.1.i386.rpm
[root@server2 Server]# rpm -ivh mod_ssl--22.el5.i386.rpm
[root@server2 Server]# vim /etc/httpd/conf.d/ssl.conf
112 SSLCertificateFile /etc/httpd/certs/httpd.crt
119 SSLCertificateKeyFile /etc/httpd/certs/httpd.key
128 SSLCertificateChainFile /etc/pki/CA/cacert.pem
[root@server2 Server]# service httpd restart
Server1的证书
[root@server1 certs]# vim /etc/pki/tls/openssl.cnf
[root@server1 certs]# cd /etc/pki/CA/
[root@server1 CA]# mkdir crl certs newcerts
[root@server1 CA]# touch serial index.txt
[root@server1 CA]# echo "01" >serial
[root@server1 CA]# openssl genrsa 1024 >private/cakey.pem
Generating RSA private key, 1024 bit long modulus
......++++++
.............++++++
e is 65537 (0x10001)
[root@server1 CA]# openssl req -x509 -new -key private/cakey.pem -out cacert.pem
Country Name (2 letter code) [GB]:cn
State or Province Name (full name) []:hn
Locality Name (eg, city) [Newbury]:zz
Organization Name (eg, company) [My Company Ltd]:zzu
Organizational Unit Name (eg, section) []:lib
Common Name (eg, your name or your server's hostname) []:server.zzu.com
[root@server1 CA]# cd /etc/httpd/certs/
[root@server1 certs]# openssl genrsa 1024 >httpd.key
[root@server1 certs]# openssl req -new -key httpd.key -out httpd.csr
Country Name (2 letter code) [GB]:cn
State or Province Name (full name) []:hn
Locality Name (eg, city) [Newbury]:zz
Organization Name (eg, company) [My Company Ltd]:zzu
Organizational Unit Name (eg, section) []:lib
Common Name (eg, your name or your server's hostname) []:server.zzu.com
[root@server1 certs]# openssl ca -in httpd.csr -out httpd.crt
[root@server1 certs]# chmod 600 *
[root@server2 Server]# scp /etc/httpd/conf.d/ssl.conf 192.168.2.20:/etc/httpd/conf.d/ssl.conf
The authenticity of host '192.168.2.20 (192.168.2.20)' can't be established.
RSA key fingerprint is 59:bf:a9:d0:92:8d:9e:90:85:08:52:82:b0:65:26:50.
Are you sure you want to continue connecting (yes/no)? y
Please type 'yes' or 'no': yes
Warning: Permanently added '192.168.2.20' (RSA) to the list of known hosts.
root@192.168.2.20's password:
ssl.conf 100% 9649 9.4KB/s 00:00
[root@server2 Server]#
[root@server1 certs]# service httpd restart
持久连接测试
[root@director ~]# ipvsadm -C
[root@director ~]# ipvsadm Ln
Try `ipvsadm -h' or 'ipvsadm --help' for more information.
[root@director ~]# ipvsadm -Ln
IP Virtual Server version (size=4096)
Prot LocalAddress:Port Scheduler Flags
-> RemoteAddress:Port Forward Weight ActiveConn InActConn
[root@director ~]# iptables -t mangle -A PREROUTING -i eth0 -p tcp -m multiport --dport 80,443 -j MARK --set-mark 1
[root@director ~]# ipvsadm -A -f 1 -s rr -p 3600
[root@director ~]# ipvsadm -a -f 1 -r 192.168.2.20 -g
[root@director ~]# ipvsadm -a -f 1 -r 192.168.2.30 -g
[root@director ~]#